Question from gfcnetwork:
Webmail Redirect Quit Working

Our bridgehead server (Exchange 2000) redirects to a secure port on another Exchange 2000 server for webmail access. We used to only have to authenticate once to gain access. Now we are prompted twice. I verified that the method of authentication and the redirect settings are still in place and they are. We are also getting a certificate window popping up before the login window, which never used to happen before. Has anybody had any experience with this? Please advise. Thanks!
Sembee:

When the certificate prompt comes up, what does it say is the reason for the failure? Has your certificate expired?

Simon.
gfcnetwork (asker):

It is saying that the certificate has expired or is not valid. Would that be the cause of the lack of redirect?

Sembee:

There is a good chance that would break something. You need to get the certificate renewed.

What do you mean by redirect? Are you using a frontend/backend scenario?

Simon.
gfcnetwork (asker):

I renewed the certificate and now, when testing from within the network, webmail prompts twice for authentication. Once at the "external" web address for our webmail and once at the server that hosts the mailboxes. From outside the network, only one login is needed. Is there an explanation for why this changed?

Sembee:

Are you using a frontend/backend scenario? Something else that is proxying the connection?

Simon.
gfcnetwork (asker):

We have a bridgehead server and that server is acting as the first point of contact. That server redirects to another server that actually holds the mailbox store. Is that the information that you are looking for? Thanks!

Sembee:

You haven't answered my question.

Is this a frontend/backend scenario?
Is the server an Exchange server or something else?
A bridgehead server could be anything.

Simon.
gfcnetwork (asker):

I do not believe we are using a frontend/backend scenario. I would be able to access the server by host name if I needed to get to webmail. If you could clarify what you are looking for, that would be great. What exactly makes it a frontend/backend setup?
Yes, both servers previously referenced are Exchange servers.

Sembee:

In a frontend/backend scenario you have a single server that provides OWA for all of the backend servers. This is configured as a frontend server, which is simply a matter of enabling an option in ESM. With Exchange 2000 the frontend server had to be an Enterprise Edition server - which meant their deployment wasn't as widespread.

If you do not have a frontend server, but users hit the first server for OWA access, then Exchange will attempt to redirect the user to the correct server. The redirect will be to the server's real name. That means that the server's real name must be resolvable on the internet.

In a frontend/backend scenario the user is not redirected and you don't have to worry about the server's real name resolving on the internet. It allows you to use an alias for OWA access and have an SSL certificate issued to the alias.

I don't deploy multiple Exchange servers without a frontend server because the redirection causes problems. If the site has used .local then it cannot be done. If the site has used a domain name that isn't theirs, then it cannot be done. If the site only has one IP address, then it cannot be done.

Is your backend server accessible directly over the internet by its real name?

Simon.
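As an added example (not code from the thread, and not an Exchange tool), the following checks the conditions Sembee lists for the redirect scenario: given the Location header the first server sends and the certificate the redirect target presents, it flags a .local or single-label name, a non-https redirect, and an expired or mismatched certificate. The hostnames and dates are constructed.

```python
# Added example (not from the thread): checks for the non-frontend OWA redirect
# described above; the target must be a public FQDN with a valid, matching cert.
from datetime import datetime, timezone
from urllib.parse import urlparse

def _as_dt(value):
    """Accept an aware datetime or a 'YYYY-MM-DD' string (treated as UTC)."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def cn_matches(cn, host):
    """Match a certificate CN against a hostname; '*.' covers exactly one label."""
    cn = cn.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def check_redirect(location, cert_cn, cert_not_after, now=None):
    """Return the problems with one redirect: `location` is the Location header
    the first server sends, `cert_cn` / `cert_not_after` describe the
    certificate the redirect target presents."""
    now = _as_dt(now) if now else datetime.now(timezone.utc)
    not_after = _as_dt(cert_not_after)
    problems = []
    url = urlparse(location)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        problems.append("redirect is not https; the second logon would go in clear")
    if not host:
        problems.append("redirect carries no host name")
    elif "." not in host:
        problems.append(f"'{host}' is a single-label name; not resolvable from the Internet")
    elif host.endswith(".local"):
        problems.append(f"'{host}' is a .local name; not resolvable from the Internet")
    if not_after <= now:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    if host and not cn_matches(cert_cn, host):
        problems.append(f"certificate CN '{cert_cn}' does not match '{host}'")
    return problems

if __name__ == "__main__":
    # Constructed samples: one good redirect and two that only work on the LAN.
    for loc, cn, exp in [
        ("https://mail2.example.com/exchange/", "mail2.example.com", "2025-01-01"),
        ("https://exch02.corp.local/exchange/", "exch02.corp.local", "2025-01-01"),
        ("http://exch02/exchange/", "exch02", "2023-06-01"),
    ]:
        print(loc, "->", check_redirect(loc, cn, exp, now="2024-01-01") or "ok")
```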
gfcnetwork (asker):

We are not using a true frontend/backend scenario. We are using the second scenario you describe. We have a web address that is hit by all users, and then users are redirected to the server that actually holds their mailbox. We have 6 servers that this could be. We have an SSL cert installed on both the server that users hit first and on each "mailbox" server.

We are able to go straight to the "mailbox" server by name.

The issue that we are trying to resolve is that no second authentication used to be needed for one of our Exchange servers, now it is, but only if trying to reach it from within our network. From the general Internet, no second authentication is needed for this particular server. On our other 5 servers, a second authentication is needed from the Internet.

I am trying to figure out why we suddenly need the second authentication from within our network for the one server and why from the Internet the same server does not need the second authentication, but all of our other ones do.

We have a mix of Exchange 2000 and Exchange 2003. The server that needs a second authentication from within our network, but not from the Internet is running Exchange 2000, fully patched.

I hope that I didn't confuse things more. Any ideas would be great! Thanks!
Sembee:

Any reason you are not using a frontend/backend? Considering that you have a mixed site you could easily stand up a single standard Exchange 2003 server to act as a frontend.

As for your question - I have no idea. I do not deploy that scenario. As soon as the client introduces a second Exchange mailbox server it is almost mandatory to have a frontend server. It also saves having multiple servers exposed to the internet.

Considering what is happening, I am surprised that you were only getting a single prompt, because as you are not using a frontend/backend scenario there is nothing to pass the credentials across. You may well have had it working despite the configuration, not because of something that you have done, and a recent security update in either Windows or Exchange, either server side or client side, has fixed the flaw and broken this functionality.

Simon.
gfcnetwork (asker):

This is just how the system was set up when I inherited it. Do you have any links for articles on how to implement the frontend/backend scenario? Would it also be able to be used as a bridgehead, or would I need a separate server for that?

ASKER CERTIFIED SOLUTION

Sembee:

This solution is only available to members.